In wireless communication, security is an important issue since conveying information over the air makes it possible to illicitly intercept and/or modify the communicated information. Therefore, the information is typically encrypted and/or integrity protected before being sent over the air. The prevailing communication standards of today for radio communication involves various security methods and routines. For example, mobile (or cellular) access networks according to GSM (Global System for Mobile communications), GPRS (General Packet Radio Service) and UMTS (Universal Mobile Telecommunications System) utilise two keys referred to as Ck and Ik, to ensure integrity and for encrypting information communicated over radio channels between a particular mobile terminal and the mobile network.
In UMTS, each mobile terminal shares a unique pair of keys Ck and Ik with the network which can be used for encrypting payload data as well as various signalling messages, and also for verifying the identity of the terminal, referred to as integrity. The keys Ck and Ik to be used in a session are established during a registration stage when the terminal attaches to the network, which will be referred to as key agreement in this description. It should be noted that a mobile terminal can be in two different modes referred to as the idle mode when it has been registered as present in the network but is not involved in a session of transmitting/receiving data, and the active mode when it transmits/receives data in a session.
The information communicated over the air between a mobile terminal and a base station is conventionally divided into three main categories: 1) payload data, also referred to as “user plane” data, 2) NAS (Non-Access Stratum) signalling which is information related to, e.g., security including authentication and encryption, and 3) RRC (Radio Resource Control) which is information related to radio communication including channel specifics, modulation and multiplexing schemes, power regulation, signal measurements, etc.
In so-called 3G-systems according to UMTS, the user plane data is typically conveyed over four different nodes in the access network: the base station (also referred to as NodeB), the RNC (Radio Network Controller) the SGSN (Serving GPRS Support Node) and the GGSN (Gateway GPRS Support Node), of which the base stations and RNC constitute a radio network part and the SGSN and GGSN constitute a core network part. In 3G systems, all encryption/decryption of user plane data, NAS and RRC is executed by the RNC and the terminal, whereas in traditional GSM systems, the encryption is handled by the base stations.
Currently, a new network architecture is being developed to provide so-called “evolved 3G access”, as illustrated in FIG. 1, based on 3GPP (Third Generation Partnership Project). The new architecture basically comprises two node types including “evolved” base stations 100 in the radio network part connected to a central access control gateway AGW 102 in the core network part by means of the well-known S1 interface. An access network may contain plural AGW nodes serving different geographic areas. The AGW node is connected to various different external networks 104 using well-known interfaces, including the Internet (using the Gi interface), other 3GPP networks (using the Gn interface) and non-3GPP networks (using the S2 interface), and includes certain functions similar to those currently implemented in the RNC, SGSN and GGSN.
In particular, security processing related to encryption and integrity will take place in the base station 100 and the AGW node 102. Basically, the encryption of user plane data, and potentially also the NAS signalling, will be handled by the AGW node 102, whereas the protection of the RRC signalling will be handled by the base stations 100. The initial process of authenticating the subscriber and key agreement will take place between a SIM (Subscriber Identity Module) in the terminal and the AGW node, and is often referred to as AKA (Authentication and Key Agreement). Thus, the above-mentioned keys Ck and Ik may be established by the terminal and the AGW node during the AKA process.
In order to provide interoperability between different network architectures, it is highly desirable that security components and routines of existing 3G systems can be reused in the above-described two-node architecture as well, including maintaining the AKA process. Consequently, there is a need to provide security keys for both the base station and the AGW node, preferably based on the above keys Ck and Ik. In the base station a key is needed to protect the RRC signalling, and in the AGW node a key is needed to protect the NAS signalling as well as the user plane data.
Although it would be possible to send a copy of, e.g., Ik to the base station and use the same key in both the base station and the AGW node, this may result in certain drawbacks. Firstly, a local base station is somewhat vulnerable to illicit attacks by being typically situated at easily accessed and unguarded places, as compared to the more centralized AGW node which can be installed wholly protected. Therefore, there is a risk that the Ik key is intercepted at the base station such that the NAS signalling can be illicitly detected. It should be noted in this context that the sensitive NAS information generally demands a higher degree of security than the RRC information. However, the RRC signalling may include a terminal identifier which makes it desirable to protect anyway.
Secondly, it may be difficult to obtain satisfactorily protection for the case when intercepted information is recorded and replayed later (so-called replay attacks), if the same key is used for two different purposes which provides plural opportunities to detect the used key. Therefore, if Ik is reused in the base station, it is required that the AGW node at least applies some one-way function f to Ik before sending it in a thus modified form f(Ik)=Ik′ to the base station.
However, if Ik′ is intercepted at a base station during a session, this security flaw will persist even if the session is handed over to a new base station, i.e. as long as Ik′ is used. This problem can be avoided if the AKA process is repeated at regular intervals (e.g. triggered by hand-over), which however may disturb the session, thus significantly impacting a desirable seamless behaviour of services.
It is therefore desirable to avoid persistent insecurity following a key interception as the terminal moves between different service points, i.e. base stations, yet without requiring extra operations such as the establishment of new keys in a re-authentication according to the AKA process. An attempt to meet these objects has been made involving a new type of key that is shared between the base station and the AGW node, according to a proposed procedure described below with reference to FIG. 2.
FIG. 2 illustrates a mobile terminal 200 and a mobile access network including a plurality of base stations of which two are shown, BS1 202 and BS2 204, which are connected to a central AGW node 206, in accordance with the two-node architecture shown in FIG. 1. In this proposal, each base station in the network covered by the AGW node 206 share a predefined key with the AGW node. As indicated in the figure, base stations 202 and 204 thus share predefined keys k1 and k2, respectively, with AGW node 206.
First, terminal 200 attaches to the network by radio connection with BS1 202, thereby being the serving base station, and the conventional keys Ck and Ik are established by means of the AKA process, in a first step 2:1.
In order to establish further protection, the AGW node 206 will then look up the key k1 of BS1. Furthermore, the AGW node will also look up the corresponding key of a suitable number of “neighbouring” base stations, i.e. base stations located in the neighbourhood of the serving base station BS1 to which the terminal might be handed over to when moving during a session, including BS2 204. The neighbouring base stations should be selected as covering a reasonable area in which the terminal is expected to be. Around 5-10 base stations may be considered as neighbouring base stations, e.g. depending on their cell sizes.
Next, the AGW node 206 uses the Ik key established for the terminal 200, to create a modified key specifically for each base station, by applying a predetermined function f with the Ik key and a base station identity “BS” as input, as follows: Ik1=f(Ik, “BS1”) is created for BS1, Ik2=f(Ik, “BS2”) is created for BS2, and in general, Ikj=f(Ik, “BSj”) is created for base station j. It should be noted that the predetermined function f is also known to the terminal, which will be utilised as described below.
Each produced modified Ik key Ik1, Ik2 . . . Ikj is then “wrapped” (i.e. encrypted) by the key k shared with the corresponding base station, altogether making up a set of individually wrapped keys for all base stations (the serving one and the neighbouring ones): Encr(k1, Ik1), Encr(k2, Ik2) . . . Encr(kj, Ikj). In the following, “K” will be used for short to represent the complete set of all these wrapped keys. The whole process of creating K as described above is illustrated by a step 2:2 in the figure.
According to the proposed procedure, the AGW node 206 now transfers the entire key-set K to the serving base station BS1 202, in a following step 2:3. BS1 can then decrypt the component of K corresponding to Encr(k1, Ik1) using its unique key k1, to extract the above-mentioned modified Ik key Ik1 originally created for that base station, in a next step 2:4, to be shared with the terminal. BS1 also stores the entire key-set K for future use.
Since the terminal naturally knows its original Ik key and the identity of the serving base station “BS1”, it can derive the same modified Ik key Ik1 by applying the function f: Ik1=f(Ik, “BS1”), in connection with starting a communication session, as shown in step 2:5. Hence, a modified key Ik1 has now been established that is unique for this particular combination of terminal and base station, based on the terminal-unique key Ik and base station-unique identity “BS1”. The key Ik1 can now be used by terminal 200 and base station 202 to protect the RRC signalling during the session, as long as terminal 200 stays connected to base station 202.
If the terminal at some point during the session moves to be handed over to a new base station, in this case BS2 204 as illustrated by the dashed arrow, the old BS1 202 transfers the entire key-set K to BS2 204, in a step 2:6. Using the received key-set K, BS2 204 can similarly extract its own modified Ik key Ik2 in a step 2:7. The terminal will also derive Ik2 using the function f(Ik, “BS2”), in a step 2:8, to be used as a key for encryption and/or integrity in further communication.
The above-described proposed procedure of establishing a modified Ik key can also be used to establish a modified Ck key that is unique for each particular combination of terminal and base station, in order to provide more reliable protection of user plane communication and the sensitive NAS signalling.
Thus, the above-described prior art solution provides keys unique to each base station-terminal combination. Even if at some point a key Ikx used in one cell x (i.e. base station) is illicitly intercepted, a new key Iky will be used instead as soon as a hand-over occurs to another cell y, and the security flaw does not persist. Hence, the solution in FIG. 2 provides backwards as well as forwards security whenever the serving base station is changed.
However, there are some significant problems associated with the above solution. It is generally quite complex since new Ik keys must be calculated and wrapped for a significant number of base stations of which only a few will be used, if any at all. Further, the AGW node needs to “predict” which base stations that might possibly be involved in future hand-overs, which is more or less haphazard as the terminal may move in unexpected directions. If the terminal swiftly moves out of the area covered by the collection of selected neighbouring base stations included in key-set K, the process must start all over again to obtain a key-set K for a new area. Moreover, serving base stations are required to store the entire key-set K, and not only its “own” key, and to transfer it to the next base station upon hand-over.
It is generally desirable to obtain a simple yet reliable way of using keys for encryption and/or integrity protection, particularly when a communication terminal switches communication from one service point to another service point. More specifically, it would be beneficial to avoid the need for hand-over predictions and to reduce the number of keys that must be handled by base stations or other service points. It is also desirable to provide backward security when switching service points, and forward security when a terminal starts a session, e.g. goes from idle mode to active mode, with a minimum of service impact.
Although the background description above has been focused on mobile terminals using base stations in a 3G network as service points, the discussed issues may be relevant for other mobile (or cellular) access networks as well, and also for fixed access networks using wired connections such as DSL (Digital Subscriber Line), PON (Passive Optical Network) and DOCSIS (Data Over Cable Service Interface Specification). For example, the above-mentioned AKA process may thus be replaced by other similar processes for establishing one or more keys to be used in session communications, depending on the prevailing network routines. Further, viewing “access” or “connectivity” as a general service, the present invention can also be applied to other communication services, e.g. data streaming, etc.